Managing Realms

You can manage realms by using the kdb5_util utility.

This section provides information about the following:

  * Creating a Realm
  * Modifying a Realm
  * Viewing a Realm
  * Destroying a Realm
  * Listing Realms

Creating a Realm

You can create a realm using either of the following methods:

Command Line

Use the following syntax to create a realm:

kdb5_util [-D user_dn] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]

create [-subtree subtree_dn] [-sscope search_scope]
[-ldapdn ldap_server_list] [-kdcdn kdc_service_list]
[-admindn admin_service_list] [-pwddn passwd_service_list]
[-enctypes supported_enc_types] [-defenctype default_enc_type]
[-salttypes supported_salt_types] [-defsalttype default_salt_type]
[-policy policy_dn] [-up]
[-k mkeytype] [-m|-P password|-f stashfilename]
[-r realm]

For example:

kdb5_util -r ATHENA.MIT.EDU -D cn=admin,o=org -h ldap-server1.mit.edu create  
-sscope 2 -kdcdn cn=service-kdc,o=org:cn=service-kdc2,o=org -enctypes des-cbc-crc:des3-cbc-sha1 -defenctype des3-cbc-sha1 -salttypes normal:onlyrealm -defsalttype normal -policy cn=rpolicy,o=org

Output of the above command:

Password for "cn=admin,o=org": 
Initializing database for realm 'ATHENA.MIT.EDU'
Enter KDC database master key:
Re-enter KDC database master key to verify:


Table 18. Create Realm Parameter Description

Parameter Description

-subtree

Subtree where principals and other Kerberos objects in the realm are placed.

-sscope

Scope for searching the principals under the specified subtree. The possible values are 1 or one (one level) and 2 or sub (subtree).

-ldapdn

List of LDAP servers that the Kerberos servers (KDC and administration servers) can contact. The list contains the DNs of the LDAP servers separated by a colon (:).

-kdcdn

List of KDC Service objects serving the realm. The list contains the DNs of the KDC Service objects separated by a colon (:).

-admindn

List of Administration Service objects serving the realm. The list contains the DNs of the Administration Service objects separated by a colon (:).

-pwddn

List of Password service objects serving the realm. The list contains the DNs of the Password service objects separated by a colon (:).

-enctypes

Encryption types supported by the realm. This is a colon-separated list.

-defenctype

Default encryption type for the realm. This type must also be included in the supported encryption types list.

-salttypes

Salt types supported by the realm. This is a colon-separated list.

-defsalttype

Default salt type for the realm.

-policy

Reference to a policy object (dn) that is applicable to all the principals in a realm.

-up

Specifies to use the universal password of the user as the Kerberos password for the principals in the realm.

-k

Specifies the encryption type of the master key in the database. The default is the type given in the krb5.conf file.

-m

Specifies that the master password should be read from the keyboard rather than from a file or disk.

-P

Master password.

-f

Stash file of the master password.

-r

Specifies the Kerberos realm. By default, the default_realm parameter of the krb5.conf file is used.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Kerberos Management > New Realm.

Refer to the iManager online help for more information.


Modifying a Realm

You can modify the realm using either of the following methods:

Command Line

Use the following syntax to modify a realm:

kdb5_util [-D user_dn] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]

modify [-subtree subtree_dn] [-sscope search_scope]
[-ldapdn ldap_server_list | [-clearldapdn ldap_server_list]
[-addldapdn ldap_server_list]] [-kdcdn kdc_service_list |
[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]
[-admindn admin_service_list | [-clearadmindn admin_service_list]
[-addadmindn admin_service_list]] [-pwddn passwd_service_list |
[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]
[-enctypes supported_enc_types | [-clearenctypes enc_type_list]
[-addenctypes enc_type_list]] [-defenctype default_enc_type]
[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]
[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]
[-policy policy_dn|-clearpolicy] [-up|-clearup] [-r realm]

For example:

kdb5_util -r ATHENA.MIT.EDU -D cn=admin,o=org modify -sscope 1 -clearkdcdn cn=service-kdc1,o=org:cn=service-kdc2,o=org -addkdcdn cn=service-kdc3,o=org:cn=service-kdc4,o=org -enctypes des3-hmac-sha1:des-cbc-md5 -defenctype des3-hmac-sha1 -addsalttypes v4:special -clearpolicy -up

Output of the above command:

Password for "cn=admin,o=org":


Table 19. Modify Realm Parameter Description

Parameter Description

-subtree

Subtree containing principals and other Kerberos objects in the realm.

-sscope

Scope for searching the principals under the specified subtree. The possible values are 1 or one (one level) and 2 or sub (subtree).

-ldapdn

List of LDAP servers that the Kerberos servers (KDC and administration servers) can contact. The list contains the DNs of the LDAP servers separated by a colon (:).

-clearldapdn

List of LDAP servers that need to be removed from the list. The list contains the DNs of the LDAP servers separated by a colon (:).

-addldapdn

List of LDAP servers that need to be added to the list. The list contains the DNs of the LDAP servers separated by a colon (:).

-kdcdn

List of KDC service objects serving the realm. The list contains the DNs of the KDC Service objects separated by a colon (:).

-clearkdcdn

List of KDC service objects that need to be removed from the list. The list contains the DNs of the KDC service objects separated by a colon (:).

-addkdcdn

List of KDC service objects that need to be added to the list. The list contains the DNs of the KDC service objects separated by a colon (:).

-admindn

List of Administration service objects serving the realm. The list contains the DNs of the Administration service objects separated by a colon (:).

-clearadmindn

List of Administration service objects that need to be removed from the list. The list contains the DNs of the Administration service objects separated by a colon (:).

-addadmindn

List of Administration service objects that need to be added to the list. The list contains the DNs of the Administration service objects separated by a colon (:).

-pwddn

List of Password service objects serving the realm. The list contains the DNs of the Password service objects separated by a colon (:).

-clearpwddn

List of Password service objects that need to be removed from the list. The list contains the DNs of the Password service objects separated by a colon (:).

-addpwddn

List of Password service objects that need to be added to the list. The list contains the DNs of the Password service objects separated by a colon (:).

-enctypes

Encryption types supported by the realm. This is a colon-separated list.

-clearenctypes

Encryption types that need to be removed from the supported encryption types list of the realm. This is a colon-separated list.

-addenctypes

Encryption types that need to be added to the supported encryption types list of the realm. This is a colon-separated list.

-defenctype

Default encryption type for the realm.

-salttypes

Salt types supported by the realm. This is a colon-separated list.

-clearsalttypes

Salt types that need to be removed from the supported salt types list of the realm. This is a colon-separated list.

-addsalttypes

Salt types that need to be added to the supported salt types list of the realm. This is a colon-separated list.

-defsalttype

Default salt type for the realm.

-policy

Reference to a policy object (dn) that is applicable to all the principals in a realm.

-up

Specifies to use the universal password of the user as the Kerberos password for the principals in the realm.

-clearup

Specifies that the universal password of the user is not used as the Kerberos password for the principals in the realm.

-r

Specifies the Kerberos realm. By default, the default_realm parameter of the krb5.conf file is used.
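The create and modify commands above take colon-separated lists, and the parameter tables state that the default encryption type must be a member of the supported list. The following shell script is an added example, not code from the product or its documentation: it checks that the defaults are members of their lists before a create, prints (without running) the create command line it would use, and previews what a modify with -clear.../-add... options leaves in a list so that the realm default is not removed by accident. The DNs and host names follow the documentation's examples; the stash file path is a hypothetical value. It never invokes kdb5_util.

```shell
#!/bin/sh
# Added example (not part of the product documentation): validates the
# enctype and salt-type arguments for "kdb5_util create", and previews the
# effect of "kdb5_util modify -clear.../-add..." on a colon-separated list.
# Nothing here invokes kdb5_util; it only prints diagnostics and command lines.

# Return 0 if $1 is one of the colon-separated items in $2.
in_list() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Apply the modify semantics from the parameter table to a colon-separated
# list: $1 current list, $2 items to clear, $3 items to add. Prints the result.
apply_list_ops() {
    _result=""
    _old_ifs="$IFS"
    IFS=:
    for _item in $1; do
        in_list "$_item" "$2" && continue       # removed by -clear...
        _result="${_result:+$_result:}$_item"
    done
    for _item in $3; do
        in_list "$_item" "$_result" && continue # already present
        _result="${_result:+$_result:}$_item"
    done
    IFS="$_old_ifs"
    printf '%s\n' "$_result"
}

# Check that the default enctype ($2) and default salt type ($4) are members
# of the supported lists ($1 and $3). Prints one diagnostic per problem;
# returns 0 only when both checks pass.
check_defaults() {
    _ok=0
    if ! in_list "$2" "$1"; then
        echo "error: default enctype '$2' is not in supported enctypes '$1'"
        _ok=1
    fi
    if ! in_list "$4" "$3"; then
        echo "error: default salt type '$4' is not in supported salt types '$3'"
        _ok=1
    fi
    return $_ok
}

# Print (do not run) a create command line. The master key is taken from a
# stash file (-f) rather than passed with -P, so the password never appears
# in a process listing or in shell history.
build_create_cmd() {
    # $1 realm  $2 admin DN  $3 LDAP host  $4 enctypes  $5 default enctype
    # $6 salt types  $7 default salt type  $8 stash file
    printf 'kdb5_util -r %s -D %s -h %s create -sscope 2 -enctypes %s -defenctype %s -salttypes %s -defsalttype %s -f %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"
}

# Demonstration with constructed values (the DNs and host follow the
# documentation's examples; the stash file path is hypothetical).
ENCTYPES="aes256-cts:aes128-cts:des3-cbc-sha1"
if check_defaults "$ENCTYPES" aes256-cts normal:onlyrealm normal; then
    build_create_cmd ATHENA.MIT.EDU cn=admin,o=org ldap-server1.mit.edu \
        "$ENCTYPES" aes256-cts normal:onlyrealm normal /var/kerberos/krb5kdc/.k5.ATHENA.MIT.EDU
fi

# Preview of "modify -clearenctypes aes256-cts": clearing the realm default
# leaves an inconsistent realm unless -defenctype is changed in the same step.
NEW_ENCTYPES=$(apply_list_ops "$ENCTYPES" aes256-cts "")
echo "enctypes after modify: $NEW_ENCTYPES"
check_defaults "$NEW_ENCTYPES" aes256-cts normal:onlyrealm normal || echo "hint: also pass -defenctype"
```

The same apply_list_ops preview works for the -clearkdcdn/-addkdcdn, -clearldapdn/-addldapdn and salt type lists, since all of them use the colon-separated form described in Table 19.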


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Kerberos Management > Edit Realm.

Refer to the iManager online help for more information.


Modifying the subtree for a realm

If you change the subtree for a realm, the Kerberos service objects (KDC, Admin Server and Password Server) are not automatically reassigned the appropriate rights over the new subtree.

For example, if the subtree for the realm "ATHENA.MIT.EDU" is "ou=students,o=mit" and you change it to "o=mit", the service objects that represent the Kerberos services for your realm are not automatically assigned rights over the new subtree.

To reassign the rights over the new subtree, follow these steps:

  1. Stop the Kerberos services.

  2. Destroy the service objects.

  3. Create the service objects again.

  4. Start the Kerberos services.


Modifying the search scope for a realm

If you modify the sscope for a realm, then the objects created previously under the old scope will still exist.

For example, if your subtree is "o=mit", which has a container "ou=students,o=mit", and you change the search scope from "sub" to "one", the Kerberos principal objects that were created under "ou=students,o=mit" still exist.


Viewing a Realm

Use the following syntax to view realms:

kdb5_util [-D user_dn] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]

view [-r realm]

For more information on the parameters, refer to Table 18, Create Realm Parameter Description.

For example:

kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu view -r ATHENA.MIT.EDU

Output of the above command:

Password for "cn=admin,o=org": 
Realm Name: ATHENA.MIT.EDU
Subtree: ou=hr,o=org
SearchScope: SUB
KDC Services: cn=service-kdc1,o=org
Admin Services: cn=admin-service,o=org
Supported Enc Types: DES cbc mode with CRC-32
DES cbc mode with RSA-MD4
DES cbc mode with RSA-MD5
Triple DES cbc mode with HMAC/sha1
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 96-bit SHA-1 HMAC
ArcFour with HMAC/md5
Default Enc Type: Triple DES cbc mode with HMAC/sha1
Supported Salt Types: Version 5
Version 4
Version 5 - No Realm
Version 5 - Realm Only
Special
Default Salt Type: Version 5
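The view output above is the place to audit which encryption types a realm still advertises. The following script is an added example, not code from the product or its documentation: it parses the view output (the "Supported Enc Types:" value continues on unlabelled lines, so the parser keeps track of the last key it saw) and reports the single-DES, Triple DES and ArcFour (RC4) types, which RFC 6649 and RFC 8429 deprecate for Kerberos, as well as whether the realm default is one of them. The sample input is constructed from the example output shown above; in practice the real command is piped in.

```shell
#!/bin/sh
# Added example (not part of the product documentation): reads "kdb5_util
# view" output from stdin and reports deprecated encryption types that the
# realm still advertises. The sample below is constructed from the
# documentation's example output.

# Classify one human-readable enctype name as printed by kdb5_util view.
# Returns 0 for single DES, Triple DES and ArcFour (RC4), 1 otherwise.
is_weak_enctype() {
    case "$1" in
        "DES cbc"*|"Triple DES"*|"ArcFour"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse view output on stdin. Prints "weak: <name>" for each deprecated
# supported enctype and "default-weak: <name>" if the default is one.
# Returns 0 when nothing was reported, 1 otherwise.
audit_view_output() {
    _key=""; _bad=0
    while IFS= read -r _line; do
        case "$_line" in
            "Password for"*) continue ;;                      # prompt echo
            *": "*) _key="${_line%%: *}"; _val="${_line#*: }" ;;
            *:)     _key="${_line%:}";    _val="" ;;
            *)      _val="$_line" ;;                          # continuation line
        esac
        [ -n "$_val" ] || continue
        case "$_key" in
            "Supported Enc Types")
                if is_weak_enctype "$_val"; then echo "weak: $_val"; _bad=1; fi ;;
            "Default Enc Type")
                if is_weak_enctype "$_val"; then echo "default-weak: $_val"; _bad=1; fi ;;
        esac
    done
    return $_bad
}

# Constructed sample, taken from the documentation's example view output.
SAMPLE_VIEW_OUTPUT='Realm Name: ATHENA.MIT.EDU
Subtree: ou=hr,o=org
SearchScope: SUB
KDC Services: cn=service-kdc1,o=org
Admin Services: cn=admin-service,o=org
Supported Enc Types: DES cbc mode with CRC-32
DES cbc mode with RSA-MD4
DES cbc mode with RSA-MD5
Triple DES cbc mode with HMAC/sha1
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 96-bit SHA-1 HMAC
ArcFour with HMAC/md5
Default Enc Type: Triple DES cbc mode with HMAC/sha1
Supported Salt Types: Version 5
Version 4
Default Salt Type: Version 5'

# Number of findings for the sample (used by the demonstration below).
count_findings() {
    printf '%s\n' "$SAMPLE_VIEW_OUTPUT" | audit_view_output | wc -l | tr -d ' '
}

# Demonstration. Against a live directory the input would come from, e.g.:
#   kdb5_util -D cn=admin,o=org view -r ATHENA.MIT.EDU | audit_view_output
printf '%s\n' "$SAMPLE_VIEW_OUTPUT" | audit_view_output
echo "findings: $(count_findings)"
```

A realm that reports findings here is a candidate for a modify with -clearenctypes for the deprecated types and, if the default is among them, a new -defenctype in the same step.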


Destroying a Realm

You can destroy a realm using either of the following methods:


Command Line

Use the following syntax to destroy a realm:

kdb5_util [-D user_dn] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]

destroy [-f] [-r realm]

For more information on the parameters, refer to Table 18, Create Realm Parameter Description.

For example:

kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU

Output of the above command:

Password for "cn=admin,o=org": 
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...
** Database of 'ATHENA.MIT.EDU' destroyed.

The principals associated with this realm are also deleted.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Kerberos Management > Delete Realm.

Refer to the iManager online help for more information.


Listing Realms

Use the following syntax to list realms:

kdb5_util [-D user_dn] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]

list

For more information on the parameters, refer to Table 18, Create Realm Parameter Description.

For example:

kdb5_util -D cn=admin,o=org list

Output of the above command:

Password for "cn=admin,o=org": 
NovellRealm
MYREALM
ATHENA.MIT.EDU
MEDIA-LAB.MIT.EDU